MedusaLocker

Malware updated 25 days ago (2024-08-14T10:18:18.621Z)
MedusaLocker is a ransomware family first observed in 2019 that has primarily targeted the healthcare sector. It gained notoriety during the COVID-19 pandemic, when its operators exploited the disruption to launch attacks, as the US Department of Health and Human Services reported in February 2023. It is distinct from Medusa, a Ransomware-as-a-Service (RaaS) operation active since late 2022 that routinely relies on double extortion; the two are frequently conflated because of the shared name. Both MedusaLocker and Medusa have been prevalent in Singapore's threat landscape, reflecting global trends. PCrisk reported a new MedusaLocker variant in 2024 that appends the .crypto1317 extension to encrypted files and drops a ransom note named "How_to_back_files.html".

Like many ransomware families, MedusaLocker terminates a hardcoded list of services and processes before encrypting. After initial access it propagates through the network via a batch file that executes a PowerShell script. It kills security and forensic software, restarts the machine in safe mode so that endpoint protection which is not registered to run in safe mode never loads, and then encrypts files with AES-256; the per-victim AES key is itself protected with the operators' RSA public key, so files cannot be recovered without the actors' private key.

MedusaLocker is an operation in its own right, not a tool used by other gangs: 2024 research on an EDR-bypass tool advertised by the FIN7 group lists MedusaLocker among the ransomware operations that deployed it, alongside AvosLocker, BlackCat, Trigona and LockBit. These operations have caused significant disruption across multiple sectors, reinforcing the need for robust, proactive defences and continued vigilance as the threat evolves.
Description last updated: 2024-08-14T09:46:50.092Z
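The behaviour chain in the description (batch file spawning PowerShell, a burst of service and process kills, a staged safe-mode reboot) maps onto process-creation telemetry that most EDR and Sysmon deployments already collect. The script below is an added example, not code from this page or from any vendor report, and it runs over constructed Sysmon-style events embedded inline. The `bcdedit ... safeboot` indicator is an assumption about how a safe-mode restart is normally staged on Windows; the page does not quote MedusaLocker's actual command, and the hostnames, paths and `payload.exe` parent are hypothetical.

```python
"""Heuristic detection of the ransomware behaviour chain described above,
run over constructed process-creation events (not real telemetry).

Indicators (generic to any ransomware that behaves this way):
  bat_to_powershell    - powershell.exe whose parent is cmd.exe running a .bat file
  service_kill_burst   - >= 3 'net stop' / 'sc stop' / 'taskkill' commands on one host
                         inside a two-minute window
  safeboot_staging     - bcdedit.exe setting a 'safeboot' option (assumption: the
                         standard way to force the next boot into safe mode)
  reboot_after_staging - shutdown /r on the same host after safeboot staging
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str          # full path of the created process
    cmdline: str
    parent_image: str
    parent_cmdline: str


KILL_RE = re.compile(r"\b(net1?\s+stop|sc\s+stop|taskkill)\b", re.IGNORECASE)
SAFEBOOT_RE = re.compile(r"\bsafeboot\b", re.IGNORECASE)
BAT_RE = re.compile(r"\.bat\b", re.IGNORECASE)


def exe_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(events, kill_window=timedelta(minutes=2), kill_threshold=3):
    """Return {host: sorted list of indicator names} for hosts with any hit."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        per_host[e.host].append(e)

    findings = {}
    for host, evs in per_host.items():
        hits = set()
        kill_times = []
        safeboot_ts = None
        for e in evs:
            img, pimg = exe_name(e.image), exe_name(e.parent_image)
            if img == "powershell.exe" and pimg == "cmd.exe" and BAT_RE.search(e.parent_cmdline):
                hits.add("bat_to_powershell")
            if KILL_RE.search(e.cmdline):
                kill_times.append(e.ts)
                if len([t for t in kill_times if e.ts - t <= kill_window]) >= kill_threshold:
                    hits.add("service_kill_burst")
            if img == "bcdedit.exe" and SAFEBOOT_RE.search(e.cmdline):
                hits.add("safeboot_staging")
                safeboot_ts = e.ts
            if img == "shutdown.exe" and "/r" in e.cmdline.lower() and safeboot_ts is not None:
                hits.add("reboot_after_staging")
        if hits:
            findings[host] = sorted(hits)
    return findings


def is_suspect(host_hits, minimum=2):
    """Two or more independent indicators on one host is worth an alert."""
    return len(host_hits) >= minimum


# Constructed sample telemetry: one infected host (WS-014) and one benign admin host (WS-022).
T0 = datetime(2024, 8, 1, 2, 0, 0)


def ev(offset_s, host, image, cmdline, parent_image, parent_cmdline):
    return ProcEvent(T0 + timedelta(seconds=offset_s), host, image, cmdline, parent_image, parent_cmdline)


CMD = r"C:\Windows\System32\cmd.exe"
PAYLOAD = r"C:\Users\Public\payload.exe"   # hypothetical dropper, not a real IOC
SAMPLE_EVENTS = [
    ev(0, "WS-014", CMD, r"cmd.exe /c C:\Users\Public\run.bat", r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(2, "WS-014", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r"powershell.exe -ep bypass -w hidden -f C:\Users\Public\spread.ps1", CMD, r"cmd.exe /c C:\Users\Public\run.bat"),
    ev(10, "WS-014", r"C:\Windows\System32\net.exe", "net stop MSSQLSERVER", PAYLOAD, "payload.exe"),
    ev(12, "WS-014", r"C:\Windows\System32\net.exe", "net stop VeeamBackupSvc", PAYLOAD, "payload.exe"),
    ev(14, "WS-014", r"C:\Windows\System32\taskkill.exe", "taskkill /f /im MsMpEng.exe", PAYLOAD, "payload.exe"),
    ev(16, "WS-014", r"C:\Windows\System32\sc.exe", "sc stop WinDefend", PAYLOAD, "payload.exe"),
    ev(30, "WS-014", r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {current} safeboot network", PAYLOAD, "payload.exe"),
    ev(35, "WS-014", r"C:\Windows\System32\shutdown.exe", "shutdown /r /t 0", PAYLOAD, "payload.exe"),
    ev(100, "WS-022", r"C:\Windows\System32\net.exe", "net stop Spooler", CMD, "cmd.exe"),
    ev(105, "WS-022", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe Get-Service", r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_EVENTS).items():
        print(host, "SUSPECT" if is_suspect(hits) else "low", hits)
```

The single `net stop Spooler` on the admin host never reaches the burst threshold, so the benign host produces no finding; the infected host trips all four indicators. In production, feed real Sysmon event ID 1 or EDR process-creation records into `ProcEvent` and tune `kill_threshold` to how often your own administrators stop services in bulk.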
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Medusa (2 votes): Medusa, a malicious threat actor known for its ransomware attacks, has been increasingly active and dangerous. This group was responsible for a significant rise in data leaks and multi-extortion activities throughout 2023. Medusa, along with other ransomware groups like LockBit and ALPHV (BlackCat),
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
RaaS
Encrypt
Encryption
Associated Malware

LockBit (type: unspecified, 2 votes): LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Source Document References
Information about the MedusaLocker malware was read from the documents below (this display is limited to 20 results).

Securityaffairs (2 months ago): FIN7 group advertises new EDR bypass tool on hacking forums
CERT-EU (10 months ago): The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
CERT-EU (8 months ago): Ransomware victims are being offered payment extension plans as groups ratchet up pressure | #ransomware | #cybercrime | National Cyber Security Consulting
Unit42 (8 months ago): Medusa Ransomware Turning Your Files into Stone
CERT-EU (a year ago): Ransomware and phishing attacks continue to plague businesses in Southeast Asia | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): Hackers attack PhilHealth’s website, systems | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (a year ago): The Week in Ransomware - October 20th 2023 - Fighting Back
CERT-EU (10 months ago): Medusa Claims Canadian Psychological Association Cyberattack
Quick Heal Technologies Ltd. (a year ago): MedusaLocker Ransomware: An In-Depth Technical Analysis and Prevention Strategies
CERT-EU (a year ago): MEDUSA Cyber Attacks: Two New Victims Added To The List!
CERT-EU (a year ago): PhilHealth hit by ransomware – report | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): The Week in Ransomware - March 10th 2023 - Police Take Action
CERT-EU (a year ago): Nine looks for new cyber security director
CERT-EU (a year ago): French town of Sartrouville recovering from cyberattack claimed by ransomware gang
CERT-EU (a year ago): Philippines state health org struggling to recover from ransomware attack
CERT-EU (a year ago): French town of Sartrouville recovering from cyberattack claimed by ransomware gang | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (9 months ago): What do Toyota's data breaches teach us about cybersecurity? | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (9 months ago): The Week in Ransomware - December 1st 2023 - Police hits affiliates
CERT-EU (9 months ago): 86% of cyberattacks are delivered over encrypted channels - Help Net Security